A Data Loss Prevention (DLP) system includes an automated method for tracking changes to a security classification (e.g., content category) associated with an artifact to determine whether an attempt is being made to subvert a DLP policy. The method exploits the basic principle that, depending on context, the classification of a particular artifact, or a change to an existing classification, may indicate an attempt to subvert the policy. According to the method, an artifact classification state machine is implemented within a DLP system. For each policy-defined content category on each artifact, the machine identifies a content category change that may be of interest, as defined by policy. When a change in a classification has occurred, an artifact notification event (or, more generally, a notification of the change in classification) is issued.
Claims (as filed with the USPTO)
1. A method for detecting changes to security classifications of artifacts in a data loss prevention (DLP) system, the DLP system including a DLP policy that identifies one or more classifications and an enforcement rule associated with a classification, comprising: configuring, according to the DLP policy, an artifact state machine that defines a set of artifact security classification states and associated transitions among the artifact security classification states; classifying content of an artifact into a security classification identified in the DLP policy; determining, in association with a DLP component executing on a hardware element and using the set of artifact security classification states and their associated transitions as defined in the artifact state machine, whether a change in the security classification of the artifact has occurred, the change indicative of an attempt to subvert the enforcement rule defined by the DLP policy; and if a change in the classification of the artifact has occurred, generating a notification of the change in the security classification.
2. The method as described in claim 1 wherein, with respect to a given artifact, the set of artifact security classification states include an unknown state wherein no attempt has been made to classify the given artifact, an unclassified state wherein a security classification for the given artifact has been attempted but no match has been identified, a declassified state wherein a security classification for the given artifact has existed but no longer matches, and a classified state wherein a security classification has been attempted and a match has been identified.
3. The method as described in claim 2 wherein a transition to the classified state generates a classification event.
4. The method as described in claim 2 wherein a transition from the classified state to the declassified state generates a declassification event.
5. The method as described in claim 2 wherein a transition to the unclassified state as defined by the policy generates an action as defined in the policy.
6. The method as described in claim 1 wherein the method is carried out in an automated manner for each classification in the policy for each of a set of artifacts.
7. The method as described in claim 6 further including generating a classification rate event if a given number of transitions to a classified state occur for the set of artifacts.
8. Apparatus for detecting changes to security classifications of artifacts in a data loss prevention (DLP) system, the DLP system including a DLP policy that identifies one or more classifications and an enforcement rule associated with a classification, comprising: a processor; computer memory holding computer program instructions that when executed by the processor perform a method comprising: configuring, according to the DLP policy, an artifact state machine that defines a set of artifact security classification states and their associated transitions among the artifact security classification states; classifying content of an artifact into a security classification identified in the policy; determining, using the set of artifact security classification states and their associated transitions as defined in the artifact state machine, whether a change in the security classification of the artifact has occurred, the change indicative of an attempt to subvert the enforcement rule defined by the DLP policy; and if a change in the security classification of the artifact has occurred, generating a notification of the change in the classification.
9. The apparatus as described in claim 8 wherein, with respect to a given artifact, the set of artifact security classification states include an unknown state wherein no attempt has been made to classify the given artifact, an unclassified state wherein a security classification for the given artifact has been attempted but no match has been identified, a declassified state wherein a security classification for the given artifact has existed but no longer matches, and a classified state wherein a security classification has been attempted and a match has been identified.
10. The apparatus as described in claim 9 wherein a transition to the classified state generates a classification event.
11. The apparatus as described in claim 9 wherein a transition from the classified state to the declassified state generates a declassification event.
12. The apparatus as described in claim 9 wherein a transition to the unclassified state as defined by the policy generates an action as defined in the policy.
13. The apparatus as described in claim 8 wherein the method is carried out in an automated manner for each classification in the policy for each of a set of artifacts.
14. A computer program product in a non-transitory computer readable medium for detecting changes to security classifications of artifacts in a data loss prevention (DLP) system, the DLP system having a DLP policy that identifies one or more classifications and an enforcement rule associated with a classification, the computer program product holding computer program instructions which, when executed by a data processing system, perform an automated method comprising: configuring, according to the DLP policy, an artifact state machine that defines a set of artifact security classification states and associated transitions among the artifact security classification states; for each security classification in the DLP policy, for each of a set of artifacts: classifying content of the artifact into a security classification as identified in the DLP policy; determining, using the set of artifact security classification states and their associated transitions as defined in the artifact state machine, whether a change in the security classification of the artifact has occurred, the change indicative of an attempt to subvert the enforcement rule defined by the DLP policy; and if a change in the security classification of the artifact has occurred, generating a notification of the change in the classification.
15. The computer program product as described in claim 14 wherein, with respect to a given artifact, the set of artifact security classification states include an unknown state wherein no attempt has been made to classify the given artifact, an unclassified state wherein a security classification for the given artifact has been attempted but no match has been identified, a declassified state wherein a security classification for the given artifact has existed but no longer matches, and a classified state wherein a security classification has been attempted and a match has been identified.
16. The computer program product as described in claim 14 wherein the security classification is a DLP content category.
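As an added illustration, not code from the patent or its assignee, the artifact state machine of claims 2 through 7 in Python: the four states (unknown, unclassified, declassified, classified), a classification event on any transition into the classified state, a declassification event on classified to declassified, and a classification rate event once a category has been entered a configurable number of times. The regex-based content categories, the event tuples and the threshold are assumptions standing in for a real DLP policy and content engine.

```python
import re
from collections import defaultdict

# The four per-artifact states named in the claims.
UNKNOWN, UNCLASSIFIED, DECLASSIFIED, CLASSIFIED = "unknown", "unclassified", "declassified", "classified"

# Constructed stand-in for a DLP policy: content category -> classifier. Regexes and
# category names are hypothetical; a real DLP engine would plug in its own matchers.
POLICY = {
    "pii": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "confidential": re.compile(r"\bCONFIDENTIAL\b"),
}


class ArtifactStateMachine:
    """Per (artifact, category) state tracker emitting the events the claims describe."""

    def __init__(self, policy=POLICY, rate_threshold=3):
        self.policy = policy
        self.rate_threshold = rate_threshold            # claim 7: rate event at this count
        self.state = defaultdict(lambda: UNKNOWN)       # (artifact_id, category) -> state
        self.classified_count = defaultdict(int)        # category -> transitions into CLASSIFIED

    @staticmethod
    def _next_state(current, matched):
        if matched:
            return CLASSIFIED
        # No match: a category that once matched becomes DECLASSIFIED, otherwise UNCLASSIFIED.
        return DECLASSIFIED if current in (CLASSIFIED, DECLASSIFIED) else UNCLASSIFIED

    def scan(self, artifact_id, content):
        """Classify `content` against every policy category; return the events raised."""
        emitted = []
        for category, matcher in self.policy.items():
            old = self.state[(artifact_id, category)]
            new = self._next_state(old, bool(matcher.search(content)))
            self.state[(artifact_id, category)] = new
            if new == CLASSIFIED and old != CLASSIFIED:
                emitted.append(("classification", artifact_id, category))
                self.classified_count[category] += 1
                if self.classified_count[category] == self.rate_threshold:
                    emitted.append(("classification_rate", None, category))
            elif old == CLASSIFIED and new == DECLASSIFIED:
                # Matching content vanished from a classified artifact: the change the
                # abstract treats as a possible attempt to slip past the enforcement rule.
                emitted.append(("declassification", artifact_id, category))
        return emitted
```

Re-scanning the same artifact after its content changes is what drives the transitions; a declassification event is the signal a DLP operator would route to review, since the artifact was known sensitive and now evades the matcher.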
February 3, 2011
August 5, 2014